Software-based watchdog method and apparatus

ABSTRACT

In a computer system which allows simultaneous operation of multiple processes, a software watchdog process operates to monitor a primary process through operating system calls. If the response to an operating system call shows that the primary process is not operating or is over utilizing CPU time, then the primary process is restarted. The software watchdog process may also check and correct configuration and data files before restarting the primary process. Alternatively, rather than using operating system calls, the software watchdog process and primary process may communication through a loop back TCP/IP address for monitoring purposes.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to software monitoring processes. More particularly, it relates to watchdog processes, which monitor the operation of other processes and restart the other processes, as necessary, to maintain proper operation.

[0003] 2. Discussion of Related Art

[0004] Computer processes have been known to occasionally have operating problems. Errors in operation can cause a process to fail or cease to execute. A process may enter a non-exiting loop, or may lose data and cease operation. In order to maintain proper operation, monitoring processes, called watchdog processes, have been used to track operation of another process. When the watchdog process determines that there is a operating problem, it will interrupt the watched process and restart it. In this manner, the main process will be maintained as operating.

[0005] Known watchdog processes have been implemented using circuits separate from those implementing the main process. Typically, these circuits include a counter which is periodically reset by the main process. If the main process fails, then the timer is not reset. Once the timer expires, the watchdog process determines that the main process has failed and operates to restart the process. Such watchdog processes are implemented using a hardware circuit or a separate processor and appropriate software. While these processes assist in preventing the total loss of the main process, they lack the ability to adequately determine or resolve various processing problems. For example, a main process could hang in a loop which resets the timer. Thus, even though the main process has failed, it would not trigger the watchdog process. Therefore, a need exists for a watchdog process which can monitor a main process independent of the type of error.

[0006] Furthermore, the watchdog process cannot determine or correct the error which caused the problem. This can result in the main process failing again after it is restarted. Therefore, a need exists for a watchdog process which can monitor and correct errors which cause the main process to fail.

[0007] Furthermore, for known watchdog processes, the main program must reset the timer of the watchdog process. Thus, the main program must be designed to operate with the watchdog process. The watchdog process cannot operate to monitor other programs. Also, each watchdog timer can only be used to monitor a single program. Therefore, a need exists for a watchdog process which can monitor any program and multiple programs.

[0008] Finally, the watchdog process itself may fail. If the watchdog process fails, the main process could also fail without being monitored. Therefore, a need exists for a watchdog process which can also be monitored.

SUMMARY OF THE INVENTION

[0009] The deficiencies of known watchdog processes are substantially overcome with the system of the present invention through the utilization of a software implemented watchdog process. According to one aspect of the invention a distinct software process operating on the same CPU as a primary process uses calls to the operating system to monitor the operation of a primary process. If the primary process is not executing, or is over utilizing CPU time, it is determined to be non-operating. The primary process is restarted. According to another aspect of the invention, the watchdog process can check and correct damaged configuration or data files used by the primary process before restarting. According to another aspect of the invention, the watchdog process can be used to monitor and restart various primary processes operating on a single computer system. According to another aspect of the invention, a secondary software watchdog process can be included as part of a primary process for fault tolerant operation. The secondary software watchdog process monitors the primary watchdog process to ensure continued operation.

[0010] According to another aspect of the present invention, the primary process and watchdog process communicate information through a loop back TCP/IP address. In this manner, the primary process and watchdog process can periodically send messages. If the watchdog process does not receive a message from the primary process within a certain predetermined time, the watchdog process determines that the primary process is not operating properly and restarts the primary process.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011]FIG. 1 is a block flow diagram for operation of a watchdog process according to an embodiment of the present invention.

[0012]FIG. 2 is a block diagram of the relationship between processes according to a second embodiment of the present invention.

[0013]FIG. 3 is a block diagram of the relationship between processes according to a third embodiment of the present invention.

[0014]FIG. 4 is a block flow diagram for operation of a watchdog process according to the third embodiment of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0015]FIG. 1 illustrates operation of a software watchdog process according to an embodiment of the present invention. The software watchdog process of the present invention may be implemented in any known computer system which allows simultaneous operation of processes. Such computer systems include personal computers, servers and mainframe computers. Furthermore, to utilize the present invention, according to the first embodiment, the computer system must include an operating system which collects and provides information about process operation. The Windows NT and Windows 2000 operating systems from Microsoft Corporation have such functionality. Other operating systems also provide similar functionality. Additionally, the software watchdog process may be created in any known programming language. Preferably, the software watchdog process is stored in the memory of the computer system and is automatically accessed and operated when the computer system is started or when the primary process is started.

[0016] As illustrated in FIG. 1, at step 10, the software watchdog process utilizes an operating system call for information relating to at least one primary process. The relevant information for the present invention is whether the primary process is a currently executing process and the CPU utilization rate for the primary process. The software watchdog process utilizes the operating system call on a periodic basis. The period for making operating system calls depends upon the desired operation of the computer system using the watchdog process. More frequent operating system calls will discover malfunctioning programs more rapidly, but will slow down ordinary operation of the system. At steps 15 and 20, the results of the operating system call are reviewed to determine whether the primary process is functioning properly. At step 15, the watchdog process checks whether the primary process is executing. This determination is made based upon the operating systems' listing of currently operating processes. If the primary process is not executing, the watchdog process begins a recovery procedure at step 30. If the primary process is executing, then, at step 20, the watchdog process determines the CPU usage of the primary process. If the primary process is in a loop such that it is over utilizing CPU time, then the process is determined to be non-functioning. The determination may be based upon a certain utilization amount of CPU time, or may monitor CPU usage over some time period to see an increase. Alternatively, an extremely low CPU utilization may also signify an error and may be used to initiate the recovery process. If the primary process is functioning within expected limits, the watchdog process returns to step 10 to perform another operating system call.

[0017] The recovery procedure within the watchdog process is illustrated in steps 25-60. If the primary process is executing but over utilizing CPU time, the process is first terminated at step 25. The primary process can be terminated using an operating system instruction to stop execution of the primary process. After terminating the primary process (step 25) or if the primary process is not executing (step 15), the watchdog process determines whether a prior failure has occurred at step 30. Preferably, a prior failure is only considered if it occurred within a predetermined time of the current failure. This ensures that the primary process is not repeatedly restarted only to fail again. If a prior failure has not occurred, the watchdog process restarts the primary process at step 60. If a prior failure has occurred, the watchdog process determines whether the present failure is the second failure at step 50. If it is the second failure, the watchdog process checks, at step 40, the configuration files and/or data for the primary process for errors. The watchdog process may also correct the configuration files or data at step 45. Alternatively, the watchdog process may reset the configuration files and/or data to known or initial values. Following correction, the primary process is restarted at step 60.

[0018] If the primary process fails a third time, after the configuration files and data have been corrected, then the watchdog process is unable to correct the error or restart the process. Accordingly, at step 55, a user is notified of the problem. Different types of notification can be used based upon the design of the computer system. For example, if the watchdog process is operating on a personal computer, a pop-up window can be displayed on the monitor with information regarding the problem. Alternatively, for a system attached to a network, an email notification could be provided to a specified user address.

[0019] The software process according to the present invention can operate with any known primary process. Since the determination of failure is based upon information from the operating system, the watchdog process need only have the primary process name as used by the operating system. Additionally, the watchdog process could be used to monitor more than one primary process. Each primary process would be analyzed and restarted, when appropriate, using the procedures as illustrated in FIG. 1. Furthermore, the present invention is not limited to the recovery steps illustrated in FIG. 1. Based upon the computer system and the process or processes being monitored, the watchdog process can be implemented to take any other steps to correct errors or resolve problems in restarting a process. For example, the watchdog process could verify dependencies that the primary process has on other system components, such as required DLLs. Furthermore, the watchdog process may capture and store information regarding operation of the principal process for debugging or failure analysis purposes.

[0020] Since the watchdog process of the present invention is software based, it can be included as a part of any software process. A second embodiment of the present invention is illustrated in FIG. 2. In this embodiment, a secondary watchdog process 140 is embedded in the primary process 100. The secondary watchdog process 140 is used to monitor 130 the primary watchdog process 110. The primary watchdog process 110 is used to monitor 120 the primary process 100. In the first embodiment set forth above, if the primary process 100 fails, the failure is detected by the primary watchdog process 110, and the primary process 100 is restarted. However, if the primary watchdog process 110 were to fail first, then a failure of the primary process 100 would not be detected or corrected. Thus, the secondary watchdog process 140, within the primary process 100, is used to ensure that the primary watchdog process 110 remains functioning. Of course, a secondary watchdog process which is separate from the primary process could also be used, but it would still need to be monitored for proper operation. By embedding the watchdog process in the primary process, only one separate watchdog process is needed to maintain failsafe operation.

[0021] A third embodiment of the present invention is illustrated in FIG. 3. In this embodiment, the primary process 200 is designed to operate in conjunction with the watchdog process 210. The primary process and watchdog process communicate so that the performance of the primary process can be directly monitored. The processes communicate through a TCP/IP connection 220. Upon startup, the primary process 200 and the watchdog process 210 open a TCP/IP connection 220 on the loopback address (127.0.0.1) at a well-known port address. The primary process 200 can the periodically send messages to the TCP/IP connection 220, so that the watchdog process 210 can verify continued operation. The operation of the watchdog process 210 is illustrated in FIG. 4. At step 300, the watchdog process opens a TCP/IP connection with the primary process. At step 310, the watchdog process sends a message to the primary process through the TCP/IP connection. The watchdog process then awaits a reply message from the primary process, step 320. If the reply message is received, the watchdog process sends another message, after an appropriate delay. If the reply message is not received within an expected time, the recovery process is started at step 330. As in the first embodiment, the watchdog process may take different steps in attempting to correct operation of the primary process. At step 330, the watchdog process determines whether the primary process has failed before. If the primary process has not failed before, it is restarted at step 380. If the primary process has failed before (step 340), the watchdog process checks the configuration files and data at step 360 and makes any necessary corrections at step 370. After correction, the primary process is restarted at step 380. If the primary process has failed multiple times, a user is notified of the error at step 350, and the primary process is not restarted.

[0022] Having thus far described at least one illustrative embodiment of the invention, various alterations, modifications and improvements will readily occur to those skilled in the art. Such alterations, modifications and improvements are intended to be within the scope and spirit of the invention. Accordingly, the foregoing description is by way of example only and is not intended as limiting. Accordingly, the invention is defined by the following claims and equivalents thereof. 

What is claimed is:
 1. A method for monitoring a software process in a computer system having an operating system, the method comprising the steps of: issuing a operating system call for information regarding processes being executed by the computer system; determining whether the software process is executing properly based upon the response to the operating system call; restarting the software process when a determination is made that the software process is not executing properly.
 2. The method for monitoring a software process according to claim 1, wherein the determining step includes the steps of: determining whether the software process is identified in the response to the operating system call as an executing process; and determining whether the software process has a proper CPU usage based upon the response to the operating system call.
 3. The method for monitoring a software process according to claim 1, wherein the restarting step includes the step of terminating operation of the software process if it is not executing properly.
 4. The method for monitoring a software process according to claim 1, wherein the restarting step includes the step of correcting information used by the software process prior to restarting the software process.
 5. The method for monitoring a software process according to claim 4, wherein the step of correcting information used by the software process includes the step of verifying dependencies of the software process on system resources.
 6. The method for monitoring a software process according to claim 1, further comprising the step of providing a user notification when a determination is made that the software process is not executing properly.
 7. The method for monitoring a software process according to claim 1, further comprising the step of storing information regarding operation of the software process.
 8. A method for monitoring a software process comprising the steps of: opening a communication channel with the software process; sending a message to the software process on the communication channel, wherein the software process responds to the message; receiving a response to the message; and restarting the software process if a response to the message is not received.
 9. The method for monitoring a software process according to claim 8, wherein the restarting step includes the step of correcting information used by the software process prior to restarting the software process.
 10. A fault tolerant computer system comprising: a central processing unit for executing a plurality of processes; an operating system for controlling the execution of the plurality of processes on the central processing unit and providing information regarding execution of the plurality of processes in response to an operating system call; a first process to be executed on the central processing unit; a second process to be executed on the central processing unit, the second process including: means for issuing an operating system call; means for determining whether the first process is executing properly based upon a response to the operating system call; means for restarting the first process when a determination is made that the first process is not executing properly.
 11. The fault tolerant computer system according to claim 10, wherein the means for determining includes: means for determining whether the first process is identified in the response to the operating system call as an executing process; and means for determining whether the first process has a proper CPU usage based upon the response to the operating system call.
 12. The fault tolerant computer system according to claim 10, wherein the second process further includes means for correcting information used by the first process prior to restarting the first process.
 13. The fault tolerant computer system according to claim 12, wherein the second process further includes means for checking dependencies of the first process on system resources prior to restarting the first process.
 14. The fault tolerant computer system according to claim 10, wherein the second process includes means for storing information regarding operation of the first process.
 15. The fault tolerant computer system according to claim 10, wherein the first process includes: means for issuing an operating system call; means for determining whether the second process is executing properly based upon a response to the operating system call; means for restarting the second process when a determination is made that the first process is not executing properly.
 16. A fault tolerant computer system comprising: a central processing unit for executing a plurality of processes; a communication link allowing communication between two of the plurality of processes executing on the central processing unit; a first process executing on the central processing unit, the first process including means for responding on the communication link to a message received on the communication link when the first process is executing; a second process executing on the central processing unit, the second process including: means for transmitting a message to the first process on the communication link; means for receiving a response on the communication link from the first process; means for restarting the first process when a response is not received. 